Use GPG for SSH Logins on Windows — a Problem

Using the most recent version 2.2.1 of Gpg4win, the GnuPG distribution for Windows, you can use your GPG keys for SSH authentication.

In this post, I will show how to set up your environment to do exactly that: use your GPG keys for SSH authentication with PuTTY.

I assume that you have already

  • downloaded and installed Gpg4win,
  • downloaded and installed PuTTY, and
  • created a GPG key for authentication purposes.

GPG now acts just like pageant

With the current version, Gpg4win contains a gpg-agent that can replace PuTTY’s Pageant. Gpg-agent runs as a background process and manages your GPG keys. It provides the information PuTTY needs to perform an SSH login.

But some configuration is needed first. The configuration file is located in a subdirectory of your user directory:

c:\users\YOUR_USER_NAME\AppData\Roaming\gnupg\gpg-agent.conf

If gpg-agent.conf does not exist, create it with a text editor. Add the following line:

enable-putty-support

Now save and close gpg-agent.conf. There are more options available; see the documentation at gnupg.org for details.

Start gpg-agent

Now you can open a Windows command shell and run gpg-agent --daemon. Make sure that the directory containing gpg-agent.exe is on your PATH environment variable.

[Screenshot: windows shell gpg-agent]

The agent should start and show something similar to this:

[Screenshot: gpg-agent running]

The Problem

Now your gpg-agent is running in the background and holds your private GPG key for authentication. The next step would be to convert your public GPG key into a public SSH key and store it on the server in your ~/.ssh/authorized_keys file. If your client machine ran Linux or Mac OS X, everything would be fine: there you would have a command-line tool called gpgkey2ssh, which conveniently converts GPG keys into compatible SSH keys.

But Gpg4win does not provide this tool. There is no gpgkey2ssh.exe. Bummer!!!

So, as a matter of fact, we are fragged.

You can still log in to the SSH server with PuTTY now, but you will be asked for your account password every time. One of SSH’s big advantages, in my opinion, is that this password request during logins is omitted.

Solutions?

It would be great if Gpg4win added gpgkey2ssh.exe.

I have tried to build GnuPG myself in a Cygwin environment. It took me some time, but in the end it worked, and that build contained a gpgkey2ssh.exe. But it ran only within the Cygwin shell. That’s not a solution I would recommend to everyone.
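As an added workaround (example code, not part of the original post or of Gpg4win), the conversion gpgkey2ssh performs can be done with a short script over the binary output of gpg --export, which Gpg4win does ship: it walks the OpenPGP packets (RFC 4880), pulls n and e out of every v4 RSA key and subkey packet, and prints each as an OpenSSH public-key line (RFC 4253 blob). Assumptions: a binary export (no --armor), RSA keys, and that you pick the printed line belonging to your authentication subkey yourself; the script name gpg2ssh.py and the comment strings are mine.

```python
import base64
import sys

def _ssh_str(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b            # RFC 4253 'string'

def _ssh_mpint(x: int) -> bytes:                    # RFC 4253 'mpint': positive two's complement
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _ssh_str(b"\x00" + b if b and b[0] & 0x80 else b)

def to_openssh(n: int, e: int, comment: str = "gpg-auth-key") -> str:
    blob = _ssh_str(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)   # e before n, as OpenSSH expects
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def _header(data: bytes, pos: int):
    """OpenPGP packet header (RFC 4880 4.2) -> (tag, body_start, body_len)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not a binary OpenPGP packet (ASCII-armored export?)")
    if ctb & 0x40:                                  # new-format header
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        raise ValueError("5-octet and partial body lengths are not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03      # old-format header (gpg uses it for key packets)
    width = {0: 1, 1: 2, 2: 4}[ltype]               # KeyError on 3 = indeterminate length (unsupported)
    return tag, pos + 1 + width, int.from_bytes(data[pos + 1:pos + 1 + width], "big")

def _mpi(body: bytes, pos: int):
    """OpenPGP MPI: 2-byte bit count, then big-endian magnitude -> (value, next_pos)."""
    nbytes = (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    return int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes

def rsa_keys_from_export(data: bytes):
    """[(tag, n, e)] for each v4 RSA key (tag 6) / subkey (tag 14) in binary `gpg --export` output."""
    keys, pos = [], 0
    while pos < len(data):
        tag, start, length = _header(data, pos)
        body = data[start:start + length]
        if tag in (6, 14) and body[0] == 4 and body[5] in (1, 2, 3):   # v4 packet, RSA algorithm ids
            n, p = _mpi(body, 6)                    # MPIs follow version(1) + ctime(4) + algo(1)
            keys.append((tag, n, _mpi(body, p)[0]))
        pos = start + length                        # user IDs, signatures, non-RSA keys: skipped
    return keys

if __name__ == "__main__":                          # python gpg2ssh.py key.gpg   (gpg --export KEYID > key.gpg)
    for tag, n, e in rsa_keys_from_export(open(sys.argv[1], "rb").read()):
        print(to_openssh(n, e, "gpg-subkey" if tag == 14 else "gpg-primary"))
```

Before pasting a line into authorized_keys, check that its key size matches what gpg --list-keys reports for the authentication subkey. GnuPG 2.1.11 and later also ship gpg --export-ssh-key, which does this conversion natively.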

2 thoughts on “Use GPG for SSH Logins on Windows — a Problem”

  1. Maybe this helps

    OpenSSH to GnuPG

    First we need to create a certificate (self-signed) for our ssh key:

    openssl req -new -x509 -key ~/.ssh/id_rsa -out ssh-cert.pem

    We can now import it into GnuPG:

    openssl pkcs12 -export -in ssh-cert.pem -inkey ~/.ssh/id_rsa -out ssh-key.p12
    gpgsm --import ssh-key.p12

    Notice you cannot import/export DSA ssh keys to/from GnuPG.
